Multics

Protection

 * ACLs
 * the idea is the protection information will be stored with the object to be accessed, rather than the object doing the accessing
 * capabilities are bootstrapped from the ACLs on disk
 * capabilities must always reflect ACLs (need to sync, which is slow)
 * virtual memory broken into segments, segments broken into pages. Descriptor segments set process rights
 * Gates provide mechanisms for crossing domains
 * Descriptor segments are analogous to an LNS
 * I don't agree completely (edited)- Eric
 * I tend to agree with Jacob though, as the descriptor segment contain all descriptors in an address space. Its analogous in that it holds all of the capabilities for a current process -Tess
 * The following is from the paper. It indicates the setup is similar to that in Unix, where we decided users are protection domains. So users have rights too. - Eric
 * "Associated with each segment is an access control list, an open-ended list of names of users who are permitted to reference the segment. (pg 389-390)"
 * multi-user system, each user is his own protection domain
 * users can subdivide their protection domains using "compartments"
 * Rings of protection provide an additional delineation of protected subsystems
 * Geoff defines the domain as rings -- executing at ring level N gives a process privilege to access code and data at level N and lower protection levels (higher ring numbers).


 * Design Principles**


 * permission rather than exclusion (default is lack of access)
 * check every access to every object for current authority
 * reflected in keeping capabilities synced with ACLs
 * design not secret
 * principle of least privilege - don't run firefox as root
 * easy to use human interface